Indiscriminate Warfare For the 21st Century?

For those of you with even a cursory knowledge of World War I, the image above, of soldiers in gas masks, should immediately remind you that even some types of warfare can be outlawed, and for good reason. War brings out the worst in people, and unfortunately, in the frenzy of war, some very lethal and deadly things can be brought to the battlefield. During World War I, chemical weapons of all sorts were used, and it was a nasty business.

Public outcry led to the Geneva Protocol, where use (but not stockpiling) was banned. According to the Wikipedia article:

The use of deadly poison gas was not only limited to combatants in the front but also civilians as nearby civilian towns were at risk from winds blowing the poison gases through. Civilians living in towns rarely had any warning systems about the dangers of poison gas as well as not having access to effective gas masks. The use of chemical weapons employed by both sides had inflicted an estimated 100,000-260,000 civilian casualties during the conflict. Tens of thousands of more (along with military personnel) died from scarring of the lungs, skin damage, and cerebral damage in the years after the conflict ended. In the year 1920 alone, over 40,000 civilians and 20,000 military personnel died from the chemical weapons effects.

There is always tragedy in war, but weapons of indiscriminate mass destruction such as nuclear, biological, and chemical (NBC) weapons make that tragedy vastly greater. Yes, some biological and chemical weapons have been used over the years since their large-scale use in World War I, but for the most part, their use has been relatively minor, and no major power thinks that they would be good to use in a conflict.

The thesis put forward today is that indiscriminate warfare doesn’t just extend to NBC weapons. With the rise of our interconnected world, there has been a great deal of talk about cyberterrorism and cyberwarfare. Cyberwarfare has already been initiated, with the Stuxnet virus, and one can reasonably assume that it is not the only government-sponsored malware out there.

For anyone with a background in industrial controls and some knowledge of cybersecurity, the Stuxnet virus was a tour-de-force piece of work; it was incredibly clever, and did an amazing job of doing what it did (destroying Iranian centrifuges). When this story first broke, my reaction was along the lines of Robert Oppenheimer’s “I am become Death, destroyer of worlds.” The target that the Stuxnet virus attacked was peripherally PCs (that most people are familiar with), but the ultimate goal was to affect the PLCs (programmable logic controllers) that ran those Iranian centrifuges.

PLCs are probably some of the “unsexiest” parts of the computer world; they are generally not the fastest or newest things out there. In fact, one of their attractions is that they have very long lifetimes, and you can still get parts for them years after they’ve been developed. Their main job is to run the industrial world: factories, water treatment plants, and a good portion of the infrastructure of our modern world. They aren’t primarily designed to be cyber secure; their first job is to be bulletproof, and to simply work forever. Control system security is a hot topic these days, and frankly, is a bit scary. Four main things (from the article above) are why these kinds of attacks are more possible these days:

Heavy use of Commercial Off-the-Shelf Technology (COTS) and protocols. Integration of technology such as MS Windows, SQL, and Ethernet means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems.

Enterprise integration (using plant, corporate and even public networks) means that process control systems (legacy) are now being subjected to stresses they were not designed for.

Demand for Remote Access – 24/7 access for engineering, operations or technical support means more insecure or rogue connections to control systems.

Public Information – Manuals on how to use control systems are publicly available to would-be attackers as well as to legitimate users.

The fact that Stuxnet was built and released, while technologically amazing, makes it far more possible that others will start to use cyber weapons (if they haven’t been used already). If the US and its allies are allowed to use such weapons, then what of other countries and “non-state actors”? Like biological weapons, cyber weapons can be built far more cheaply than things like nuclear weapons, and they give a great deal of power to smaller and more driven groups.

A cyber attack on the GPS system would make Uber’s valuation plummet (along with that of other services that rely on GPS: FedEx, UPS, etc.). A cyber attack on the electrical grid would cripple the economy, and put many people’s lives at risk. The lack of a working Internet would make rumors fly, the news suspect, and the ability to interact with people around the world a great deal harder.

Yes, war is hell, and as it was said, “There never was a good war or a bad peace.” Humanity, although still savage in some respects, has at least learned that some methods of warfare are too horrible to be used, and has put a great opprobrium on certain kinds of behavior. The crippling or corruption of our basic infrastructure could have effects ranging from inconsequential to lethal.

Questions:

Do we need a Geneva Accords on cyberwarfare?

Could we even ban cyberwarfare?

What happens when cyberwarfare hits home? Like drifting chemical gas, a cyber attack on military infrastructure might well drift into the civilian side. Will it take that sort of event to have a meeting of technologically dependent countries to ban such tactics?

Would attacking public infrastructure (such as clean water, sewage plants, electrical distribution grids, traffic systems) be considered an act of war against civilian populations, and a war crime?

The ‘Internet of Things’ buzzword is all the rage; might we want to think about how a cyberwar would affect these devices, before blindly going off and implementing them?

The reason for today’s article was the latest saber-rattling (keyboard rattling?) from the current US administration regarding the recent election; the Stuxnet story has been told in detail in other places. Sure, the US could perform a ‘cyber attack’ on another nation’s industrial base. But, like the nuclear option, this may lead to an escalation that runs wildly out of control. Does this disturb anyone?